Connected Apps for Developers
Anypoint Platform provides a comprehensive set of APIs that developers can use to extend functionality. With the Connected Apps feature, developers can delegate access to applications that use APIs to interact with Anypoint Platform programmatically. While some might use the Connected Apps feature to build CI/CD pipelines, others can productize additional third-party use-cases on top of Anypoint Platform.
In addition to enabling new flows to authenticate users, developers can enable or disable clients and view client usage. For example, developers can see how many organizations are using the app and how many users have access.
The Connected Apps feature supports OAuth 2.0 and OpenID Connect. As such, developers must ensure their app can use tokens to request access to user data. To find out what specific OpenID Connect capabilities are supported, refer to the information provided in the discovery endpoint. All scopes in the endpoint map directly to permissions available in Anypoint Platform, with some exceptions noted in the Endpoint Scopes section.
To foster a consistent authentication experience for end users, third-party developers with their own websites or web apps can allow users to sign in using the Sign in with Anypoint Platform option.
Developers who have the organization administrator role can create apps and specify access scopes in Anypoint Platform.
When a developer creates an app, the app requests access to user data. When an end user receives such a request and authorizes the app to access their data, the app receives an access token, which allows the app to call Anypoint Platform on the user’s behalf. The access token allows the app to see who the user is by using the user’s Anypoint Platform credentials.
Most of the scopes in the discovery endpoint map directly to existing permissions in Anypoint Platform. Other available scopes are defined as follows:
full: Full access to anything the user can do.
read:full: Read-only access to anything the user can read.
openid: Read-only access to the user’s username and unique Anypoint ID.
profile: Read-only access to the user’s Anypoint profile.
offline_access: Access to the user’s data when they are not logged in.
Apps that use
To work with OpenID Connect, apps that require access to user data when the user isn’t logged in have to exchange refresh tokens for new access tokens.
Refresh tokens expire after 90 days. Access tokens expire after the user’s session expires. If the app is using the authorization code grant type, the
offline_access scope is required to use refresh tokens after original access tokens expire.
To request a new access token, you must send a request to the token endpoint using the
refresh_token grant type.
When authentication is successful, a refresh token is exchanged for an access token.
The following example shows the structure of a token request given a pre-existing refresh_token:
POST /api/v2/oauth2/token Content-Type: application/x-www-form-urlencoded grant_type=refresh_token&client_id=<your_client_id>&client_secret=<your_client_secret>&refresh_token=<your_refresh_token>
Assuming the token request is fulfilled, the refresh token received in the endpoint response is similar to a regular token response, but it might not contain an
For seamless implementation, developers can integrate a button into the front end of their apps with a pre-built template and set of components. They can add this widget using the following code:
<anypoint-signin scopes="full" redirecturi="...." clientid="…."> </anypoint-signin>
For more information about how to embed the button, refer to the developer playground.
Before you create an app as an organization administrator, consider the following requirements and restrictions:
Your organization can own up to 200 connected apps.
clientIDis automatically assigned and can’t be modified. However, you can modify client secrets in the Application Settings page.
Your app is owned by your organization; any organization administrator can control it.
You should also determine the use-case and whether the app is internal to your company or is a third-party application that can be distributed outside of your organization. To create your app, follow these steps:
From the Access Management home page, click the Connected Apps tab.
Click Create App.
Create your app by completing the fields in the Create App page.
Organization Administrators may enable a whitelist to control which apps can access their users' data. When your app is whitelisted, only the set of scopes associated with the app are reviewed and approved by the administrator. If you add new scopes to your app at a later date, you are unable to request those scopes from users until the admin re-approves your app. Existing authorizations and new authorizations using the already-whitelisted set of scopes continue to work. For more information, see connected apps for administrators.